Institutions that depend on computer systems must at present assume they have to depend on their own resources for defence against cyber attacks. As Jason Healey, the former White House Director of Cyber Infrastructure Protection, has admitted, if the United States is engaged in a cyberwar, Americans would be far better served by contacting Microsoft or AT&T rather than the Department of Homeland Security.
This high-risk problem is unlikely to be mitigated by government agencies in the short to medium term. A variety of systemic cyber protection weaknesses and increasingly aggressive attackers suggests that the intensity of cyber attacks will continue to increase over the short to medium term. Most Western governments—Sweden and Finland appear to be exceptions— are incapable of deterring or preventing trans-border cyber attacks and do not have the means to effectively retaliate or escalate after an attack or exploitation. Thus without a significant deterrent ability, it is likely that cross-border cyber attacks and exploitation will continue unabated.
The developed world is currently experiencing a period of complexity and uncertainty and is operating without an overarching political framework or ideology. Economic competition for access to scarce resources and markets is producing cooperation at one level (trade) with vicious competition at another (cyber exploitation and attacks). These can occur simultaneously between any number of states. There is a “wild west” element in this competition and conflict, and no sheriff has emerged to enforce any set of rules.
Large financial institutions and national central banks are located at the leading edge of this conflict, with little guidance from national governments on how to act or defend themselves in this environment. As a result, these institutions are left in a defensive mode against aggressive state actors, amorphous transnational hacking groups, organized crime groups and individuals.
For the rest of this paper see Occasional Paper #66 “Don’t Call Us” Governments, Cyber Security, and Implications for the Private Sector. The paper can be found at the Queens University Centre for International and Defence Policy website (publications/occasional papers) or at: http://www.queensu.ca/cidp/publications/occasionalpapers.html